Advocate Health Care to pay $5.6 million for potential HIPAA violations, the largest settlement yet for a single entity

OCR found the Illinois-based health system failed to conduct a thorough risk assessment and limit physical access to electronic health systems, among other infractions.
By Jessica Davis
03:22 PM

After multiple potential HIPAA violations involving electronic protected health information, Illinois-based Advocate Health Care Network has settled with the U.S. Department of Health and Human Services' Office of Civil Rights for $5.55 million.

Advocate has also agreed to adopt a corrective action plan, according to OCR, which calls this the largest HIPAA settlement against a single entity to date. It's the result of the "extent and duration of the alleged noncompliance," with some infractions dating back to the Security Rule's inception.

A corresponding investigation from the Illinois State Attorney General's corresponding investigation, along with the large number of patients whose information was affected by Advocate's noncompliance, also led to the settlement, officials said.

Learn on-demand, earn credit, find products and solutions. Get Started >>

The OCR investigation began in 2013, in response to Advocate's submission of three breach notification reports that pertained to separate events at Advocate Medical Group, a subsidiary of Advocate. Combined, these three breaches affected the ePHI of 4 million patients.

The results of the investigation revealed Advocate failed to conduct a thorough risk assessment to all ePHIs; did not implement policies to limit physical access to electronic information systems in its large data support center; didn't obtain written business associate contracts including assurances the entity would protect ePHIs in its possession; and left an unencrypted laptop locked overnight in a vehicle.

[Also: OCR cautions hospitals to prepare for breaches at business associates]

"We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure," OCR Director Jocelyn Samuels, said in a statement.

"This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."

UPDATE – Advocate has supplied a statement on the settlement to Healthcare IT News: "Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts."

Twitter: @JessieFDavis
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.